The U.S. Department of Health and Human Services Office for Civil Rights has imposed a civil money penalty of $4.3 million on Cignet Health of Prince George’s County, Md. for violating patients’ rights by denying them access to their medical records, which is required by the Privacy Rule of the Health Insurance Portability and Accountability Act. The HHS civil money penalty is the first for a covered entity’s violations of the HIPAA Privacy Rule.

The agency also found that Cignet failed to cooperate with its investigations and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The monetary penalty for these violations is $3 million.

“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements,” said OCR Director Georgina Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”